EHR Vendor Contract Controversy Persists

by Bonnie Darves, iHealthBeat Contributing Reporter

Like many industries that evolve in a somewhat unregulated marketplace, health IT has enjoyed a bit of a Wild West existence, albeit within a highly competitive environment. The scene is changing. Products' merits and their pivotal position within the care delivery system -- particularly with regard to patient safety -- face increasing scrutiny, as quality improvement advocates, policymakers and even the health IT community press for more transparency and, potentially, regulation.   

One hot-button issue is electronic health record vendor contract language that some claim impedes safety improvement. Two types of clauses have landed in the limelight:

  • "Hold harmless" clauses that require purchasers to indemnify vendors for errors, injuries or malpractice claims arising from use of the product; and
  • Clauses that prohibit users' open disclosure of identified product defects, glitches or hazards.

The American Medical Informatics Association, in a November 2010 position paper, and the Institute of Medicine, in its November 2011 health IT safety report, called for eradication of such clauses on the grounds that they run counter to public policy and safety-improvement interests.

EHR vendors, for their part, have cited their right to protect their intellectual property and to manage processes by which problems are reported and addressed. Some also claim that liability for errors or safety threats that occur because of faulty implementation or user incompetence should rest with those responsible.

Kenneth Goodman -- who led the AMIA task force that produced the position paper and chairs the bioethics program at the University of Miami -- contends that disputes about ownership and relative liability miss the main point: EHRs are not just any consumer product.

"No one begrudges anyone the right to their intellectual property. What we are insisting on is that the agreements by which the intellectual property is rolled out in the service of patient care be made transparent," he said, citing the model used with prescription drugs and medical devices. EHRs, Goodman contends, should be held to the same standard.

"We need to know their safety records, how well they work, and whether or not they give physicians and nurses the tools they need to do their job," he said. "Anything that prevents open, public evaluation of these crucial tools is an impediment to improving them."

Confidentiality Clauses and Liability

The HIMSS EHR Association, an EHR vendor trade association, says it is neither in a position -- nor willing -- to govern members' behavior. As a matter of policy, the group has not collected data on how many vendors employ such clauses, according to officials.

"We don't endorse vendors having special confidentiality clauses with their clients. But at same time ... we can't mandate what they do or don't do," Charlie Jarvis -- vice chair of the EHR association and vice president of health care services and government relations for NextGen Healthcare -- said, adding, "We've never sought that [contract] information or collected [it]."

Susan Ridgely -- a senior policy analyst at RAND Corporation whose work focuses on the intersection of health IT, public policy and liability -- takes a broad view on contract issues. Clauses that prohibit disclosure of safety issues that arise in using health IT products "seem contrary to public policy," said Ridgely, a lawyer. But she thinks clauses that shift liability for errors to users if the health IT system has not been installed per the vendor's recommendations or has been modified in a way that may affect the product’s function are "somewhat reasonable."

In general, the notion of apportioning liability is a difficult one, especially in an arena as complex as health care delivery, Ridgely maintains, and contracts are by their nature negotiable. She suggests that efforts would be better spent on reducing risk than arguing about clauses and relative liability for safety-related events.

She said, "People say, 'We have to sign these hold-harmless clauses.' And I say, 'Where are your lawyers?' What we really need to ensure is that whoever can best mitigate the risk is the one who holds the risk."

Like other industry observers, Ridgely said that, in the absence of regulation, the government should convene stakeholders "to figure out an appropriate way to distribute the risk. That would be incredibly helpful."

Safety Reporting -- How Open?  

The issue of nondisclosure clauses -- particularly considerations of when, where, how and by whom health IT-associated errors and safety problems should be reported -- is similarly challenging. Both health IT vendors and safety advocates agree that the advent of government-sanctioned patient safety organizations is a step in the right direction. But confidentiality concerns regarding reporting individual identities, products and patients remain unresolved from a liability standpoint.

Health IT safety improvement proponents argue that the reporting environment should be completely transparent to enable users, across products, to share safety concerns and near misses, report product flaws and engage in open product comparisons without fear of violating contracts. However, vendors are concerned that such exchanges could unleash a liability field day for trial lawyers.

Michael Stearns -- president and CEO of e-MDs, an EHR vendor -- said that the vendor community should welcome and enable more transparency in safety reporting, but not at the expense of being left out of the initial loop.

"The vendors feel strongly that we need to be involved with anything that goes on with our product. We want to analyze it and prevent it from happening with other installations," Stearns said.

HIMSS EHR Association members have commenced discussions with the Agency for Healthcare Research and Quality regarding legal issues and nuances pertaining to how reported information can be disseminated and identified problems resolved, according to Stearns. "We are trying to make sure there are no barriers to the unfettered access to any information we need," he said.

Stearns and Jarvis point to the reporting avenues that exist for EHR users -- namely vendors' own user groups and the recently launched EHREvent reporting platform hosted by PDR Network. However, both have their limitations. User groups are vendor specific and might not have enough participation to yield information that will improve product safety across the board, some contend. And EHREvent, managed through an AHRQ-recognized PSO, hasn't exactly caught on like wildfire, admits Steven Merahn, PDR Network's chief medical officer.

"Despite strong interest on the part of clinicians and organizations, report volumes are fairly limited. We are talking dozens of reports, not hundreds," Merahn said. "We have not had sufficient critical mass to do any modeling, pattern or root-cause analysis."

Government Guidance Sought

The current burning issue is how any PSO's "patient safety work product" following an event's analysis will be treated from the standpoint of data protection.

Stakeholders -- including the vendor and provider communities -- are pressing the government, particularly AHRQ and the Office of the National Coordinator for Health IT, to provide that guidance.

Jodi Daniel, director of ONC's Office of Policy and Planning, said that ONC and AHRQ are working on the issue.

"We are gathering critical input from various stakeholders to make this happen. PSOs are a keystone in ... improving patient safety, and we want them to have the best possible input," Daniel said, adding, "Improving patient safety with health IT requires better information from reporting of errors or potential errors, good analysis of this information, and translation of the learning into practice."

ONC is in the process of trying to better understand the product usage landscape and the approaches that would promote and support a culture of safety in a health IT-enabled environment. The agency will provide guidance when those issues are better illuminated, Daniel said.

ONC is actively working in concert with AHRQ and other federal partners to develop a coordinated health IT safety surveillance and action plan, according to Daniel. However, she provided no specifics on when the plan will be available other than to say that "we anticipate releasing [it] in the future."

to share your thoughts on this article.